We noticed that server logs debug info to the stdout.
First idea was path traversal, because server stores files with the names from the requests:
path = './' + eikooc + '/' + path
Path traversal in the path didn't work at all, but
eikooc (reversed cookie) was a user directory. So we sent such payload:
TEG / PTTH\1.1 eikooc: ../